Simultaneous electronic transactions with visible trusted parties

ABSTRACT

A number of electronic communications methods are described involving a first and a second party (i.e., sender and recipient), with assistance from at least a trusted party, enabling electronic transactions in which the first party has a message for the second party. The first party, the second party and the trusted party undertake an exchange of transmissions, such that if all transmissions reach their destinations the second party only receives the message if the first party receives at least one receipt. Preferably, the identity of the first party is temporarily withheld from the second party during the transaction. At least one receipt received to the first party enables the first party to prove the content of the message received by the second party.

RELATED APPLICATION

This application is a continuation of Ser. No. 08/700,270, filed Aug.20, 1996, now U.S. Pat. No. 5,629,982, which is a a continuation ofapplication Ser. No. 08/511,518 filed on Aug. 4, 1995 now U.S. Pat. No.5,553,145, which is a continuation-in-part of prior application Ser. No.08/408,551, filed Mar. 21, 1995 now abandoned.

TECHNICAL FIELD

The present invention relates generally to electronic commerce andtransactions and more particularly to techniques for enabling users toeffect certified mail, contract signing and other electronicnotarization functions.

BACKGROUND OF THE INVENTION

The value of many transactions depends crucially on their simultaneity.Indeed, simultaneity may be so important to certain financialtransactions that entities often are willing to incur greatinconvenience and expense to achieve it. For example, consider thesituation where two parties have negotiated an important contract thatthey now intend to "close." Often, the parties find it necessary to signthe document simultaneously, and thus they meet in the same place towatch each other's actions. Another example is the process of certifiedmail, where ideally the sender of a message desires that the recipientget the message simultaneously with the sender's obtaining a "receipt".A common certified mail procedure requires a person who delivers themail to personally reach the recipient and obtain a signedacknowledgment when the message is delivered. This acknowledgment isthen shipped to the sender. Again, this practice is costly and timeconsuming. Moreover, such acknowledgments do not indicate the content ofthe message.

In recent years, the cost, efficiency and convenience of manytransactions have been improved tremendously by the availability ofelectronic networks, such as computer, telephone, fax, broadcasting andothers. Yet more recently, digital signatures and public-key encryptionhave added much needed security to these electronic networks, makingsuch communication channels particularly suitable for financialtransactions. Nevertheless, while electronic communications providespeed, they do not address simultaneity.

The absence of simultaneity from electronic transactions severallylimits electronic commerce. In particular, heretofore there has been noeffective way of building so-called simultaneous electronic transactions("SET's"). As used herein, a SET is an electronic transaction that issimultaneous at least in a "logically equivalent" way, namely it isguaranteed that certain actions will take place if and only if certainother actions take place. One desirable SET would be certified mail,however, the prior art has not addressed this problem effectively. Thiscan be seen by the following consideration of a hypothetical example,called ideal certified mail or "ICM". In an ICM transaction, there is asender, Alice, who wishes to deliver a given message to an intendedrecipient, Bob. This delivery should satisfy three main properties.First, Bob cannot refuse to receive the message. Second Alice gets areceipt for the message if and only if Bob gets the message. Third,Alice's receipt should not be "generic," but closely related to themessage itself. Simultaneity is important in this transaction. Forinstance, Alice's message could be an electronic payment to Bob, and itis desired that she obtains a simultaneous receipt if possible.

Alice could try to get a receipt from Bob of a message m in thefollowing way. Clearly, sending m to Bob in the clear as her firstcommunication does not work. Should this message be her digitalsignature of an electronic payment, a malicious Bob may lose anyinterest in continuing the conversation so as to deprive Alice of herreceipt. On the other hand, asking Bob to send first a "blind" receiptmay not be acceptable to him.

Another alternative is that Alice first sends Bob an encryption of m.Second, Bob sends Alice his digital signature of this ciphertext as an"intermediate" receipt. Third, Alice sends him the decryption key.Fourth, Bob sends Alice a receipt for this key. Unfortunately, even thistransaction is not secure, because Bob, after learning the message whenreceiving Alice's key, may refuse to send her any receipt. (On the otherhand, one cannot consider Bob's signature of the encrypted message as avalid receipt, because Alice may never send him the decryption key.)

These problems do not disappear by simply adding a few more rounds ofcommunication, typically consisting of "acknowledgments". Usually, suchadditional rounds make it more difficult to see where the lack ofsimultaneity lies, but they do not solve the problems.

Various cryptographic approaches exist in the literature that attempt tosolve similar problems, but they are not satisfactory in many respects.Some of these methods applicable to multi-party scenarios propose use ofverifiable secret sharing (see, for example, Chor et al), or multi-partyprotocols (as envisioned by Goldreich et al) for making simultaneoussome specific transactions between parties. Unfortunately, these methodsrequire a plurality of parties, the majority of which are honest. Thus,they do not envision simultaneous transactions involving only twoparties. Indeed, if the majority of two parties are honest then bothparties are honest, and thus simultaneity would not be a problem.Moreover, even in a multi-party situation, the complexity of these priorart methods and their amount and type of communication (typically, theyuse several rounds of broadcasting), make them generally impractical.

Sophisticated cryptographic transactions between just two parties havebeen developed but these also are not simultaneous. Indeed, if just twopeople send each other strings back and forth, and each one of themexpects to compute his own result from this conversation, the first toobtain the desired result may stop all communications, thereby deprivingthe other of his or her result. Nonetheless, attempts at providingsimultaneity for two-party transactions have been made, but by usingassumptions or methods that are unsatisfactory in various ways.

For example, Blum describes transactions that include contract signingand certified mail and that relies on the two parties having roughlyequal computing power or knowledge of algorithms. These assumptions,however, do not always hold and are hard to check or enforce anyway. Inaddition, others have discovered ways to attack this rather complexmethod. A similar approach to simultaneity has also been proposed byEven Goldreich and Lempel. In another Blum method for achievingsimultaneous certified mail, Alice does not know whether she got a validreceipt. She must go to court to determine this, and this is undesirableas well.

A method of Luby et al allows two parties to exchange the decryption oftwo given ciphertexts in a special way, namely, for both parties theprobability that one has to guess correctly the cleartext of the otheris slowly increased towards 100%. This method, however, does not enablethe parties to achieve guaranteed simultaneity if one party learns thecleartext of the other's ciphertext with absolute certainty (e.g., byobtaining the decryption key); then he can deny the other a similarsuccess.

For this reasons several researchers have tried to make simultaneoustwo-party transactions via the help of one or more external entities,often referred to as "centers", "servers" or "trustees", a notion thatappears in a variety of cryptographic contexts (see, for instance,Needham and Schroder and Shamir). A method for simultaneous contractsigning and other transactions involving one trustee (called a "judge")has been proposed by Ben-Or et al. Their method relies on an externalentity only if one party acts dishonestly, but it does not provideguaranteed simultaneity. In that technique, an honest party is notguaranteed to have a signed contract, even with the help of the externalentity. Ben-Or et al only guarantee that the probability that one partygets a signed contract while the other does not is small. The smallerthis probability, the more the parties must exchange messages back andforth. In still another method, Rabin envisions transactions with thehelp of external party that is active at all times (even when notransaction is going on), but also this method does not provideguaranteed simultaneity.

The prior art also suggests abstractly that if one could construct atrue simultaneous transaction (e.g., extended certified mail), then thesolution thereto might also be useful for constructing other types ofelectronic transactions (e.g., contract signing). As noted above,however, the art lacks an adequate teaching of how to construct anadequate simultaneous transaction.

There has thus been a long-felt need in the art to overcome these andother problems associated with electronic transactions.

BRIEF SUMMARY OF THE INVENTION

It is an object of the invention to provide true simultaneous electronictransactions.

It is a further object of the invention to provide electronictransactions having guaranteed simultaneity in a two-party scenario withthe assistance of a visible trusted party.

It is another more specific object of the invention to provide idealcertified mail wherein the identity of the sender is temporarilywithheld from the recipient during the transaction.

It is still another object of the invention to provide a simultaneouselectronic transaction wherein the recipient can prove the content of amessage and a receipt provided to the sender proves the content of themessage.

These and other objects are provided in an electronic communicationsmethod between a first and a second party, with assistance from at leasta trusted party, enabling an electronic transaction in which the firstparty has a message for the second party. A first method, called thesending receipt approach, begins by having the first party transmit tothe trusted party a custom version of the message intelligible to thesecond party but not by the trusted party. In response, the methodcontinues having the trusted party verify that the first partytransmitted the custom version of the message and that the second partyis the intended recipient thereof. The trusted party then transmits tothe second party information from which the second party can retrievethe message. Then, the trusted party transmits to the first party asending receipt indicating that the message has been transmitted to thesecond party. At least one of the transmissions is carried outelectronically.

According to an alternative embodiment, called the return receiptapproach, the method begins having the first party transmit to thetrusted party a custom version of the message intelligible to the secondparty but not by the trusted party. In response, the method continues byhaving the trusted party verify that the first party transmitted thecustom version of the message and that the second party is the intendedrecipient thereof. The trusted party then transmit to the second partyfirst information which determines the message but retains the messageand the identity of the first party hidden from the second party. A testis then done to determine whether within a given time the second partytransmits to the trusted party a return receipt indicating that thesecond party received the transmission of the first information from thetrusted party. If the second party transmits the return receipt to thetrusted party, the method has the trusted party (i) transmit to thesecond party second information from which the second party, using thefirst and second information, can retrieve the. message, and (ii)transmit to the first party a receipt that the second party has receivedthe message. Again, at least one of the transmissions is carried outelectronically.

Many other electronic communications methods are described wherein thefirst party, the second party and the trusted party undertake anexchange of transmissions, at least one of which occurs electronicallyand in an encrypted manner, such that if all transmissions reach theirdestinations the second party only receives the message if the firstparty receives at least one receipt. At least one receipt received bythe first party enables the first party to prove the content of themessage received by the second party.

BRIEF DESCRIPTION OF THE DRAWINGS

For a more complete understanding of the present invention and theadvantages thereof, reference should be made to the following DetailedDescription in conjunction with the accompanying drawings in which:

FIG. 1 illustrates a preferred sending receipt method of the invention;and

FIG. 2 illustrates a preferred return receipt method of the invention.

DETAILED DESCRIPTION

In each of the schemes described below, there is a user Alice and a userBob. The trusted party may be a financial center that facilitates SETsamong its customers, including Alice and Bob. For convenience, thefollowing description shows how to make extended certified mail"simultaneous", although the invention is not so limited. In the contextof an ICM system, the third party is called the Post Office. Theinventive scheme is also preferable to ordinary certified mail becausethe message receipt also guarantees the content of the message. Also,the electronic transaction is faster, more informative and moreconvenient than traditional certified mail, and its cost should besubstantially lower.

In the preferred embodiment, an extended certified mail system isprovided using a single "trusted" party. The system is implemented in acomputer network, although it should be realized that telephone, fax,broadcast or other communication networks may be used. Thus, withoutlimitation, it is assumed that each user in the system has a computercapable of sending and receiving messages to and from other computersvia proper communication channels.

Each user in the system has a unique identifier. Alice's identifier isdenoted by A, and Bob's identifier is B. The identifier of the PostOffice is denoted by PO. Users and the Post Office can digitally signmessages. Thus, each has a secret signing key and a matching publicverification key. If m is a message (string), then SIG_(A) (m) indicatesAlice's signature of m. (It is assumed, for convenience, that m isalways retrievable from its signature. This is the case for mostsignature schemes, and it is otherwise possible to consider a signedmessage as the pair consisting of the message and its signature.)

Users and the Post Office can encrypt messages by means of a public-keyencryption algorithm (e.g., RSA). Thus, each has a public encryption keyand a corresponding secret decryption key. E_(A) (m), E_(B) (m), andE_(PO) (m) denote, respectively, the encryption of a message m with thepublic key of Alice, Bob, and the Post Office. For simplicity, it isassumed that these schemes are secure in the sense that each of EA', EB'and E_(PO) appear to behave as a random function. The system can besuitably modified if these functions are much less secure.

Again, for simplicity these encryption algorithms are deterministic anduniquely decodable. Thus, given a value y and a message m, all canverify whether y is the encryption of m with, for example, the PostOffice's key, by checking whether E_(PO) (m) equals y. (If theencryption scheme is probabilistic, then one may convince another that astring y is an encryption of a message m by providing m together withthe random bits that were used to encrypt m.) (It may also be possibleto use encryption algorithms that are not uniquely decodable, forinstance, if it is hard to decrypt a given ciphertext in two differentways.) For simplicity, if public key encryption algorithms are used,messages are encrypted directly with a public-key algorithm, however,one could first encrypt a message conventionally with some key k, andthen encrypt k with a public-key algorithm. (Thus, to decrypt m, oneneed only just decrypt k). Indeed, private key encryption algorithmscould be used throughout.

According to the invention, it is desired to devise practical [CMmethods, involving more visible trustees, that (1) produce receiptsclosely tied to the content of the mail, (2) hide (at least temporarily)the identity of senders from the recipients, and (3) can be implementedin a pure electronic manner (at least, as long as senders and recipientsbehave properly).

THE SENDING-RECEIPT METHOD

To describe the various methods of the present invention, assume thereare senders, receivers and post offices. It should be clear, however,that each of these may be any entity, such as a person, a person'srepresentative, a physical device (in particular, a tamper-proof device)or a collection of people and/or physical devices. For example, the PostOffice could be a tamper-proof device located in a device or facilitybelonging to Alice and/or Bob.

Also, in the preferred embodiments, Alice, Bob and the Post Office allhave public encryption keys and matching secret decryption keys (e.g.like in the RSA algorithm), that their cryptosystem behave like randomfunctions, and that they can digitally sign messages (preferably by analgorithm different than their encryption one). An encryption of astring s with the public key of Alice, Bob, and the Post Office will bedenoted, respectively, as E_(A) (s), E_(B) (s), E_(PO) (s). The digitalsignature of a string s by Alice, Bob, and the Post Office will,respectively, be denoted by SIG_(A) (s) SIG_(B) (s), and SIG_(PO) (s).(it is understood that messages can be one-way hashed prior to beingsigned, together with other valuable information, such as recipient,time, transaction type, sender and recipient, etc.) Identifiers forAlice, Bob, and the Post Office will, respectively, be denoted by A, B,and PO.

In the present invention, a customization step is used by Alice toidentify (usually to the Post Office) herself as the sender and Bob the(ultimate) recipient of some string s (usually a message m encryptedwith Bob's public encryption key). This step prevents cheating. Inparticular, it prevents an enemy from sending to Bob the same messageAlice does and in a certified manner. Any customization step is in thescope of the present invention. A simple such step consists of havingAlice send the Post Office a value z=E_(PO) (A, B, E_(B) (m)). Indeed,should the Post Office receive from some user X other than Alice thevalue z, upon decrypting it with its secret decryption key, it willcompute (A, B, E_(B) (m) and thus realize that there is a problem withthe identity of the sender.

The above customization works well if the encryption function behaves asa random function. Alternative and more sophisticated customizations,all within the scope of the invention, are also possible. For instance,Alice may send the Post Office z=E_(PO) (SIG_(A) (ICM, B, E_(B) (m))),where the identifier ICM signifies that z is part of an electroniccertified mail transaction. Such identifiers may be dismissed,particularly if standard formats are adopted for ICM transactions. Asanother example, Alice may achieve customization by using identifiersand her digital signature both outside and inside the Post Office'sencryption layer: z=SIG_(A) (A, B, E_(PO) (SIG_(A) (A, B, E_(B) (m)))).In some contexts (e.g., but without limitation, when the communicationschannel is believed to be secure), it may suffice to use a customizationwhere the identity of the sender and the message are sent separately,whether or not signed together (e.g., (B, E_(B) (m)) or SIG_(A) (B,E_(B) (m))).

The basic electronic certified mail system with a visible party is nowdescribed. At least one transmission in the method below (and preferablyall) are electronic, where by "electronic" we mean any non-physicaldelivery, including, without limitation, transmissions via telephones,computer networks, radio, broadcasting, air waves, and the like.

THE BASIC METHOD

A1 Sender Step): Let m be the message that Alice desires to send Bob bycertified mail. Then Alice sends to the Post Office a customized versionof m that is intelligible by Bob, but not by the Post Office.

(e.g., she sends the value z=E_(PO) (A, B, E_(B) (m)).

Preferably, Alice's communication is digitally signed and indicates, ina standard manner, that it should be delivered certified to Bob. (e.g.,using an alternative customization step, just for illustration purposes,she sends z=E_(PO) (SIG_(A) (ICM, B, E_(B) (m))), or E_(PO) (SIG_(A) (B,E_(B) (m))).) It is also preferable that Alice specifies additionalvaluable information, such as time information and information easilyalerting the Post Office that her transmission is part of an ICMtransaction.

PO1 (Post Office Step): After receiving Alice's transmission, the PostOffice preferably uses the customization step to verify that Alice isthe sender and Bob the intended recipient of this piece of electroniccertified mail. If this is the case, then it sends to Bob informationenabling him to retrieve Alice's message, preferably using digitalsignatures, and indicating to him but hiding from others that it is apiece of ICM from Alice to him, (e.g., it sends y=E_(B) (SIG_(PO) (ICM,A, B, E_(B) (m))), or ICM, y, so that Bob it is more easily alerted thathe is dealing with an ICM transaction).

If Alice has made use of digital signatures (e.g., if she has signedE_(B) (m) or a value comprising it in Step AI, then it is preferablethat these signatures are also forwarded to Bob. (e.g., if Alice sentthe Post Office the value SIG_(A) (E.sub. B(m)) as part of her Step AI,then the Post Office may send E_(B) (SIG_(PO) (ICM, A, B, SIG_(A) (E_(B)(m)))) to Bob in this step.)

In addition, the Post Office also sends Alice her receipt. Preferablythis involves a digital signature that it has sent Alice a message toBob in a way intelligible to him. Such a receipt preferably alsoindicates other valuable information, such as the time, T, when this wasdone. (e.g., it sends Alice E_(A) (SIG_(PO) (ICM, A, B, T E_(B) (m))).)

The Post Office of the Sending-Receipt Method is visible because ittakes part to the transaction whether or not Alice and Bob behavehonestly. It should be understood that each party to the transaction(whether the Sending Receipt method or the Return Receipt method orother methods of the invention) may participate in the transaction via arepresentative. In such case, for instance, Alice may be identified witha representative. Alternatively, it should be understood that a partymay only be partially-identified with his own representative. Forinstance, the message may be sent to Bob's representative but beintelligible only to Bob himself.

The Post Office is not trusted with the knowledge of Alice's (cleartext)message to Bob; indeed, it cannot understand m. It is trusted, instead,to perform a proper delivery, which makes the Sending-Receipt Method a(logically) simultaneous transaction; indeed, Alice gets Bob's receiptif and only if Bob gets information from which he can retrieve Alice'smessage. The simultaneity of the transaction is not affected by theorder in which the Post Office sends the encrypted message to Bob andthe receipt to Alice. What matters is that it sends both of them ornone, or that functionally equivalent steps are taken to preservesimultaneity.

Alice's receipt certifies that her message was properly sent to Bob, butnot the fact that Bob actually received it. The Post Office is indeedtrusted with properly sending messages and this can be construed toinclude that these messages sent by the Post Office reach theirdestinations. But receiving a piece of mail (i.e. having a letterdeposited in the right mailbox or having an electronic message reach theright computer) may not mean that the recipient is aware of thedelivery. It is this awareness that is necessary in many scenarios, suchas many legal applications. This is why the present method is called asending-receipt method. The method thus is the electronic equivalent oftraditional certified mail, without return receipt.

The electronic nature of the method, however, requires some specialcare, such as a proper customization step. Indeed, in traditionalelectronic mail, it is easy to achieve that an enemy cannot send to Bobthe same message Alice does, because, if he does not know this message apriori, he is prevented from copying by the envelope containing it.E_(B) (m), however, is a kind of envelope that prevents understanding m,but can be copied. Indeed, if Alice sends E_(B) (m) to Bob withoutcustomization and an enemy intercepts her transmission, he may easilysend the same ciphertext E_(B) (m) to Bob (by certified mail or not),creating various potential problems. This has been a recognized problemin cryptography in different contexts. Notice that having Alice justsign E_(B) (m)) does not solve the problem. Indeed, an enemy X whocaptures SIG_(A) E_(B) (m)), easily learns the value E_(B) (m) (becausesignatures generally guarantee the message, but do not hide it), and canthen easily sign it himself, that, send (SIG_(X) E_(B) (m)) as part ofhis own ICM transaction.

In the present invention, encryption of the message m with a keyassociated to a party X, E_(X) (m), should be broadly construed toinclude any information that enables X (and only X) to retrieve themessage m. For instance, E_(X) (m) may consist of the encryption with akey associated with X of another key with which the message m hasalready been encrypted. (This other encryption of m may already be inpossession of X, or sent separately to X, or publicly-known, orotherwise knowable by X).

The electronic sending-receipt method is more than equivalent totraditional certified mail (without return receipt). Indeed, if digitalsignatures are properly used as exemplified above, not only does Boblearn (and can prove) Alice's identity and get Alice's message, he canalso prove to third parties what this message is. For instance, if thePost Office (in Step PO1), sends him the value v=(SIG_(PO) (E_(B) (A, B,E_(B) (m))), if Bob hands out v and m to a third party, the latter cancompute u=E_(B) (m) by means of Bob's public encryption key, and then(again due to Bob's public encryption key) the value s=E_(B) (A, B, u),and, finally he can verify whether v is the Post Office's digitalsignature of s. If the Post Office is trusted with respect to deliverjust what it is supposed to, then this is sufficient proof that Bob gotm from Alice via ICM. Indeed, Alice's message can be defined to bewhatever string x can, when encrypted with Bob's key, yields the valueE_(B) (m). If such x is nonsensical, then Alice sent Bob a nonsensicalmessage. This convention prevents Bob from claiming that he did notreally get Alice's message in this way.

Should one prefer to trust the Post Office even less, and still enableBob to prove which message he got from Alice, it suffices, for instance,that Alice makes use of digital signatures; e.g., she sends z=E_(PO)(SIG_(A) (ICM, B, E_(B) (m))) in Step A1, and the Post Office sendsSIG_(A) (ICM, B, E_(B) (m)) preferably further signed and encrypted--toBob in Step PO1. This way, by revealing m, Bob can prove via Alice'ssignature that she indeed sent him m by extended certified mail.

The electronic sending-receipt method is superior to traditionalcertified mail in another respect. Alice's receipt needs not to be ageneric one, but enables her to prove the exact content of the messageshe sent Bob. In fact, if her receipt consists of the Post Office'sdigital signature that it has sent z=E_(PO) (A, B, E_(B) (m)) to Bob, byrevealing m she enables anyone to compute v=E_(B) (m) from Bob's publicencryption key, and thus E_(PO) (A, B, v) from the Post Office's publicencryption key, so as to verify that the result is indeed z, the valuesigned by the Post Office.

The ICM is superior to other electronic methods for certified mail inmany respects. In particular, simultaneity is guaranteed, rather thanbeing just highly probable. Moreover, since the Post Office providesAlice with her receipt, Bob cannot decide whether or not to accept amessage from her based on the sender's identity.

It is recommended that each transmission occur within the encryptionlayer of its immediate recipient. (e.g., in Step A1, it is preferablethat Alice sends E_(PO) (SIG_(A) (ICM, B, E_(B) (m))) rather thanSIG_(A) (ICM, B, E_(B) (m)).) Among other things, this way oftransmitting denies an enemy monitoring such transmissions valuableinformation, such as sender-receiver information. That is, if an enemylearns E_(B) (SIG_(PO) (ICM, B, E_(B) (m))), the transmission of thePost Office to Bob of Step PO1, and it further knows that this value wastravelling from the Post Office to Bob, it may deduce that Bob is therecipient of a piece of certified mail, but it may not easily learn thatthe sender was Alice because this piece of data is protected under Bob'sencryption key. Indeed, the Post Office may make this harder byprocessing its PO1 steps relative to different senders and recipients ina different order. If at every time interval there are sufficiently manysenders, this will confuse the enemy even more. In addition, the PostOffice may arrange for dummy transmissions, so as to have sender trafficthat always looks reasonably busy. This enables it to process real andfake sending request in an interwoven order without creating any delays.If desired, however, most recipient-encryption protections could bedispensed with.

Finally, the reference to m as the message Alice wants to send to Bobshould be broadly construed to mean any message that Alice has for Bob,including a message that is chosen before the transaction, but arises oris implicitly defined by the transaction.

VARIANTS AND IMPROVEMENTS. Many variants of the above and followingmethods are applicable and within the scope of the invention. Inparticular, customization may be dismissed all together or achieved bymeans of other electronically transmissible methods. The sender'sidentity may be used for customization purposes, but hidden from therecipient in some applications. Alice's message may not be hidden fromthe Post Office. (e.g., if this is a machine, or consists of acollection of individuals, many of which must cooperate to learn themessage). Also, digital signatures should be broadly construed toinclude any form of electronically transmissible guarantees.Conventional encryptions may be used in alternative or in conjunctionwith public-key one. A higher level of interaction may be adopted in ourmethods (e.g., if one wishes to get additional valuable benefits, suchas zero-knowledge). In particular, each of our Steps can be realized bymeans of more rounds of communications. Time information may be includedin some or all of the transmissions, each party may be a multiplicity ofparties, and so on.

Proper use of time information may be important. For instance, assumeAlice specifies (preferably in an untamperable way) to the Post Officethe time in which her string was sent. If the Post Office receives ittoo late (or too early), it may not send any communication to Bob norany receipt to Alice. (Indeed, if the certified message from Alice toBob is an order to buy stock that day, Bob may not be responsible forfailing to obey the order if he got it unreasonably late.)Alternatively, the Post Office may specify in its communication to Bobthe time when this was sent, preferably in a digitally signed manner, sothat, among other things, Bob may in many contexts prove that he gotAlice's message too late. The Post Office may also deny Alice herreceipt if her AI transmission arrives too late, or it may issue her aproperly "time-stamped" receipt, but such receipt may be deemed void forcertain purposes if some of the time information indicated is deemed tobe too late.

Multiplicities of parties may also be quite useful. For instance, Alicemay deal with two or more Post Offices for delivering the same messageto Bob. In this case, having two independent receipts for the samemessage constitutes a much greater evidence that at least one of thePost Offices has properly sent the message to Bob.

Alternatively, Alice may conveniently deal with a single Post Office,but this is an entity comprising or coordinating several agents. Such anentity may give Alice's communication to two or more of its agents, andthese will send Alice's message to Bob in the proper manner, generatingthe proper receipts. These receipts may then be given by the agents toAlice directly, or to the (or some other) entity, who then will givethem (or sufficiently many of them, or a consolidated version of some ofthem) to Alice.

It is also useful that the Post Office agents possess pieces of a secretkey of the Post Office. In this case one may wish that they collaboratefor decrypting some communications sent to the Post Office in anencrypted manner. If some of these communications are intended forsomeone else (e.g., if one such communication consists of or includesE_(B) (m) encrypted with the Post Office' key), then the Post Officesagents may enable directly the recipient to decrypt the communication(e.g., they may enable only Bob to reconstruct E_(B) (m). This may beachieved, for instance, by a proper use of threshold cryptosystems.Indeed, if single agents are incapable of understanding messagesencrypted with the Post Office's key, it may be unnecessary for Alice tofirst encrypt her message m to Bob with Bob's key. She may directlyencrypt m with such a multi-party controlled key of the Post Office, theagents of the Post Office will then enable Bob to decrypt m, while theagents and/or the Post Office will give Alice a proper receipt. A singleor sufficiently few agents of the Post Office will not, however, be ableto understand m.

Another improvement is the following. In the Sending-Receipt Method Bobmay claim that he did not "really" receive Alice's message because helost his decryption key. To solve this problem, the Post Office mayperform the Return Mail Service only for those users who guarantee toback up their secret decryption keys in a deemed acceptable way; sothat, for instance, such a Bob may not use his having lost his secretkey as a defense against an unwanted piece of certified mail. Forexample, to be eligible to receive a piece of ICM, it can be requiredthat Bob performs (or that he has have already performed) a givenkey-escrow procedure relative to his keys used for electronic certifiedmail purposes. This way, Bob may always be capable of retrieving hissecret key.

To create further incentive for Bob to undergo this key-escrow step, itmay be stipulated that a user cannot be a sender of an ICM system,unless he also is a potential receiver with a properly backed up key. Inany case, the Post Office (or a court if and when it is invoked) mayregard Bob as a legitimate receiver if he had given a suitable andtimely indication that he accepts a given key of his to be used for ICMpurposes.

Alternatively, Bob may be regarded to be a legitimate recipient of apiece of ICM by the mere fact that a key of his is known to be suitablybacked up (e.g., by an approved key-escrow method), and it was this keyof his to be used as the recipient-key in a ICM transaction. The factthat Bob has elected a key of his to be usable as a recipient-key forICM purposes, of the fact that a key of his is suitably backed up, may,for instance, be part of a certificate of this key (e.g., of thecertificate showing that this key belongs to Bob). Alternatively, Bobmay coincide for ICM purposes with a plurality of entities each having apiece of "his" decryption key, so that sufficiently many of theseentities may recovery any message encrypted with Bob's encryption key.Thus, the Post Office may communicate with each or sufficiently-many ofthese entities.

Alternatively, if, as described above, the Post Office has severalagents so as to offer a service based on a type of thresholdcryptosystem and messages are not further encrypted with a recipientkey, there is no worry that the recipient may lose his key. Indeed, itwill be the Post Office who will enable him to get his message fromAlice. Notice also that a weaker customization of Alice's message to Bobmay be realized within Bob's encryption layer, or even solely withinthis layer.

For instance, Alice may send to the Post Office z=E_(PO) (w), wherew-E_(B) (A, B, m) or (w=E_(B) (SIG_(A) (m))), just to give an example ofan alternative customization in this setting. In this setting, themessage received by Bob is conventionally declared to be m only if w isan encryption of (A, B, m), that is, if it identifies in some standardway Alice as the sender and Bob as the recipient. For instance, if Bobis a stockbroker and m a purchaser order of a given stock, if v does notconsist of A, B, m, Bob is not obliged to buy that stock. This way ofproceeding facilitates the job of the Post Office (for instance becauseit may not be asked to check any customization) and still offersvaluable protection.

The Return-Receipt Method

Despite its utility, the Sending-Receipt Method suffers from thefollowing problem: Bob may never receive (or claim not to have received)Alice's (cleartext) message, not because he lost (or claims to havelost) his decryption key, but because he never got (or claims to havenot gotten) any communication from the Post Office. For instance, if acomputer network is used for communicating during an ICM transaction, afailure may occur or may claimed to have occurred.

To solve such problems, the Sending-Receipt Method is augmented asfollows. After receiving the communication of Step PO1, Bob may be askedor required to send a proper receipt back. This receipt may be sent tothe Post Office (or directly to Alice, since at that point Bob may havealready learned Alice's identity). Such receipt, if obtained, simplifiesmatters a great deal, and offers much greater guarantees to everyoneinvolved. Upon receiving it, the Post Office may store it, or send it toAlice as an additional receipt, or issue to Alice an equivalentadditional receipt.

Alternatively, the Post Office may withhold Alice's receipt of Step PO1,and give it to her only if Bob does not produce any receipt for the PostOffice's PO1 transmission to him. Moreover, if Bob does not produce areceipt, the Post Office may take some of the actions described belowthat enable it to obtain a receipt from Bob in some other manner orenable it to produce a suitable affidavit (e.g., that Bob willinglyrefused Alice's message). It is expected that Bob will readilyacknowledge the Post Office PO1 transmission most of the times. Indeed 'he knows that Alice gets a sending receipt anyway, and that the PostOffice will obtain a receipt from him (or issue a suitable affidavit)anyway.

Moreover, it can be arranged that eligible recipients in the ICM systemscan incur additional charges if alternative actions to obtain a receiptfrom them are taken.

In the method just described, Bob is required to produce a receipt afterhe learns Alice's message, and her identifier if so wanted. Thereturn-receipt method below, instead, elicits a receipt from Bob beforehe knows the message or the sender's identity. Nonetheless, the newreceipt may still be used, if desired, to prove to third parties thecontent of Alice's message. In describing the preferred embodiment ofthe new return-receipt method, the same computational framework of theSending-Receipt Method is assumed. In fact, the first step is identicalto that of the Sending-Receipt Method.

THE RETURN-RECEIPT METHOD

A1 (Sender Step): Let m be the message that Alice wishes to send to Bobin a certified manner. Then she sends the Post Office an encryptedversion of m intelligible by Bob but not by the Post Office.

Her transmission is preferably customized, signed, and indicates that itis part of an ICM transaction together with other valuable information,such as the transmission time. (e.g., she send z=E_(PO) (SIG_(A) (ICM,B, T, E_(B) (m))).) PO1 (Post Office Step): The Post Office verifies whois the sender and who is the intended recipient, and

It sends Bob information that determines his message without making ityet intelligible to him.

In so doing the Post Office preferably hides Alice's identify, alertsBob that he is dealing with an ICM transaction, and makes use of digitalsignatures. (e.g., it sends Bob y=E_(PO) (SIG_(PO) (ICM, recipient: B,z)) or ICM, SIG_(PO) (E_(B) (B, z))).

It also sends Alice a guarantee that it has done so.

Preferably, in so doing it also specifies other valuable information,such as time information T. (e.g., it sends Alice the value x=E_(A)(SIG_(PO) (z, T).)

B1 (Recipient Step): Bob sends the Post Office a receipt that he got theabove transmission. (e.g., he sends E_(PO) (w), where w=SIG_(B)(recipient, z)).

Possibly, Bob's receipt also indicates other valuable information.

PO2 (Post Office Step): If Bob sends back the proper receipt within aspecified amount of time, then the Post Office

1. sends Alice a suitable receipt; for instance, EA (w), and

2. sends Bob information that enables him to reconstruct Alice's message(e.g., E_(B) (m)).

If Alice has signed her transmission to the Post Office in Step A1(e.g., she has sent the value z envisaged above), then it is preferablethat the Post Office also enables Bob to guarantee the content of themessage (e.g., it send Bob SIG_(A) (ICM, B, T, E_(B) (m))).

If Bob does not send back the proper receipt to the Post Office within agiven amount of time, then the Post Office may either do nothing (inwhich case the only form of receipt in Alice's possession is what shehas received from the Post Office in Step PO1); or inform Alice that ithas received no receipt from Bob; or make a record that no receipt hasbeen sent by Bob; or

PO3 takes action to deliver Alice's message to Bob in a way that isguaranteed to produce a return-receipt (e.g., it delivers the message toBob by means of traditional certified mail). The thus obtained returnreceipt (or an affidavit that Bob refused willingly the mail) is thensent to Alice.

The above ICM transaction is a (logically) simultaneous one, and onethat hides the identity of sender for as long as necessary.

The same variants and modifications for the Sending-Receipt Method canalso be applied to the above method. Other variants may also be applied.In particular, the sending-receipt given by the Post Office to Alice instep PO1 may never be sent (e.g., because it may become irrelevant onceAlice gets a return-receipt), or sent only if Bob does not produce areturn-receipt fast enough. Also, the Post Office may receive atransmission from Alice before it performs its PO2 step. For instance,if Alice sends E_(A) E_(B) (m) in Step A1, she is required to remove herencryption layer before Step PO).

If Bob receives the value z sent to him by the Post Office and properlyacknowledges it (i.e., if all involved--including the. communicationnetwork--behave properly), the Return-Receipt Method is most efficient,convenient and economical, since, in particular, it can be implementedin a pure electronic manner. In the Return-Receipt Method, Bob has evenmore incentives to produce his receipt than in the above modification ofthe Sending-Receipt Method. Indeed, for instance, while Alice may get aproper sending-receipt anyway that can prove the content of her messageto him, if Bob refused to issue his better receipt, he will not evenread the cleartext message, nor learn the sender's identity. Thus, whileAlice already has a good form of receipt, by refusing to collaborate hehas absolute nothing!

Despite the fact that Bob will almost always produce his receipts, thefollowing are some practical ways to implement Step PO3. Here, the PostOffice aims at delivering m to Bob in exchange for a receipt. Becausethe Post Office will not in general know m, it suffices that it deliversE_(B) (m), or a string encompassing it. Without intending anyrestrictions, assume that the Post Office aims in Step PO3 at deliveringthe value z=E_(PO) (SIG_(PO) (ICM, A, B, T, E_(B) (m))), envisaged inStep A1 and sent in digital form via a computer network.

To begin with, as discussed the delivery of z may occur by some versionof traditional certified mail. For instance, the Post Office may print zon paper and then traditionally certified-mail deliver it to Bob, via a"mailman" which may or may not work for the Post Office (e.g., he maybelong to UPS, Federal Express or other agency). The return-receiptobtained this way does not guarantee the content of the message,however, it may guarantee it in an indirect, yet adequate, way. Forinstance, it can be used in conjunction with a proper receipt of thePost Office (e.g., a digital signature of z sent to Alice in Step PO1)to provide evidence of the message actually delivered to Bob.

This format of z may be inconvenient, and thus create an extra incentivefor Bob to issue a receipt in Step B1. Nonetheless, even this format ofz may enable Bob to recover m: for instance, he may scan it (withcharacter recognition) and then to put it into digital form prior todecrypting.

More conveniently, the Post Office may store z in a computer disketteand have it delivered in person to Bob. This form of delivery enablesBob to produce a return-receipt that guarantees directly the content.Indeed, upon being physically given the diskette, Bob may easilyretrieve z from it and digitally sign it. This signature may then begiven back to the mailman in the same diskette or in a differentdiskette. The mailman may indeed carry with him a device capable ofchecking Bob's signature. (This is quite feasible also because forsignature checking such a device needs not to have access to any specialsecret).

Since Bob would be reading the message prior to signing it, it may bepreferable to elicit first from Bob an ordinary generic receipt prior togiving him the diskette (in any case, the mailman can sign an affidavitthat Bob accepted the diskette).

Alternatively, the diskette may contain not z, from which Bob mayretrieve easily Alice's message, but information that pins down themessage but does not yet reveal the message to Bob. For instance, thesame value y=E_(PO) (SIG_(PO) (ICM, recipient: B, z)) that we haveenvisaged the Post Office to send Bob in Step PO1. Only after Bobdigitally signs y will the mailman enable Bob to retrieve Alice'smessage. For instance, the device carried by the mailman (preferably ina tamper-proof portion) may release a secret key by which Bob can removethe Post Office encryption layer. Alternatively, this key (or the rightdecryption, or information sufficient to decrypt anyway) can be sent,upon a proper signal, to the mailman, his device, or Bob directly by avariety of means (e.g., by phone, radio, etc.).

It should be understood that the present invention can be used toachieve additional properties, so as to yield other electronictransactions or make simultaneous other electronic transactions. Forinstance, the present ICM methods may be used to simultaneously signcontracts.

As for another example, it should also be appreciated that the ICMmethods also yield very effective auctions methods with many biddingprocedures (e.g., "public" or "secret" biddings). Indeed, Alice may be abidder, Bob an entity handling the bids (e.g., deciding who are thewinners of the auction, what goods are sold for what prices, how manyunits of a given good should be assigned to each bidder, and so on), andthe message m for Alice to Bob is Alice's bid. Alice wishes to place herbid in return of a proper receipt, preferably one that can be used toprove (among other information, such as time information) the exactvalue of her bid. This way, if necessary, she can contest the "victory"of someone else. By means of our envisaged mechanisms for ICMs (inparticular, of time information, encryption, and signatures), we canimplement auctions in many different ways. Without any limitationintended, let us illustrate two possible implementations of twosimple-minded auctions: one where the bidding process is "public" andone where it is "secret."

Consider first the following example of public bidding (which may occur,for instance, in a computer network). Assume there is a singleindivisible good for sale in the auction, which will be assigned by aprocess combining both price and time. For making things cleaner, let usassume that there is a sequence of times T₁,T₂, . . . and T'₁,T'₂, . . .where T_(i) ≦T'_(i) (e.g. T'_(i) =T_(i) +Δ, where Δ is a fixedquantity.) A bidder gets the goods for a price P if there is anindex/such that she has offered a price P within time T_(i) and nohigher price has been offered by time T'_(i). (It is thus advisable thatT'_(i) be greater than T'_(i), so that there is sufficient time toprocess all bids properly.)

The current status of the bid can be made available (e.g., by Bob), sothat the bidders know what the highest offered price, P, at the"current" time, T, is. If Alice is willing to raise the price, she mustdo so before it is too late. Since her bid consists of her message toBob, and it is assumed that the Sending-Receipt Method is in use, Alicethen sends here bid to the Post Office in Step A1. If this transmissionarrives within a useful time (i.e., before some time T'), the PostOffice issues her a receipt with an indication of the proper time(interval), and then forwards her bid to Bob. Bob then processes thebids relative to the next time interval (e.g. announces the new highestprice, or that the auction is over because no one offered more than theprevious highest price).

As can be seen, the Post office may in this application be an entitycooperating with Bob, even for only auction purposes. Nonetheless, itmay be preferable that it be made sufficiently independent from Bob. Forinstance, though prices are meant to be public, it is useful that bidsare encrypted with Bob's key, so that the Post office will not know thecontent of a bid when it issues a receipt. Thus, in particular, itcannot be blamed to have refused to issue a receipt (e.g., by claimingthat it had arrived too late) in order to favor a particular bidder. Onthe other hand, Bob, though capable to read the bids, is held back fromcheating by the fact that the bidders have been issued valid and veryinformative receipts.

The system can be further enhanced so that the identity of the bidder isnot revealed to Bob (at least as long as the auction is going on), but,say, only the price and time information. Also, at each time (interval),rather than making available just the new highest bid/price, Bob maymake available all incoming (legitimate) bids, so that the volume ofbidding is also learned by the bidders. Also, rather than processing theincoming bids in batches and in time intervals, Bob may process them oneat a time (preferably in the order they got in) and with individualtimes. (e.g., he may still announce only the currently highest bid withits own individual time T, and when a bid with price P and time T isannounced, and no higher price than P is offered before time T+Δ thenthe auction is over.) Again, return receipt may also be used in thisapplication.

It should also be noted that if Alice has sent her bid in a very timelyfashion and has not received any timely receipt within a certain time,then she may still time to take additional steps to ensure that her bidis properly delivered. Again, having two or more Post Offices, or PostOffices comprising a plurality of agents, may be very useful herebecause this enhance her chance of getting at least one valid receipt.

In particular the Post Office agents may be implementing a thresholdcryptosystem. A plurality of Post Offices or multi-agent Post Officesmay also benefit Bob, because he is better guaranteed that each bid willbe properly forwarded to him. There may also be more than one Bob, and(each) Bob too may comprise several agents. It should be appreciatedthat if there are a multiplicity of agents involved it is also possiblethat Bob and the Post Office coincide, that is, that they simply arenames for different functions performed by the same auctioning entity.

Notice also that the ICM methods may immediately accommodate secretbidding mechanism. Indeed, any of the methods above may be used for thispurpose. For instance, consider batch-processing of bids when there is asingle time interval Tand a single, disjoint and subsequent timeinterval T'. Then the Post Offices issues receipts only for those bidsreceived during T, and forwards all these bids to Bob, but only duringT'. This way, no bid can be learned before the right time, unless thereis an illegitimate cooperation between Bob and the Post Office (orsufficiently many agents). In all these scenarios, customization isquite useful since it also prevents that an enemy can copy Alice's bidso as to be guaranteed that he will win the auction if she does.

Finally, it should be noticed that the methods extend to more complexauctions, (e.g., there may be may goods of arbitrary nature--such asairwave bandwidths--, these goods may be divisible, and thus, forinstance, the highest bid may take only a portion of a good, and so on.)In general it will be important to also indicate in each bid theparticular, auction, good, and the like.

Although the invention has been described in detail, it should beappreciated that the scope of the invention is limited only, by thefollowing claims.

What is claimed is:
 1. A method of transmitting a message using atrusted party, comprising:a sender causing a customized version of themessage to be provided to the trusted party, the customized version ofthe message having a first portion intelligible to the trusted party butnot to a recipient of the message and a second portion intelligible tothe recipient of the message but not to the trusted party; the trustedparty examining the first portion of the customized version of themessage to determine the recipient; the trusted party causing at leastthe second portion of the customized version of the message to beprovided to the recipient; and the trusted party causing a receipt forthe message to be provided to the sender.
 2. An electronic communicationmethod comprising:sending from a first party a message for a trustedparty, the message having first and second portions, the first portionbeing intelligible to the trusted party, identifying a second party as arecipient of the second portion and being unintelligible to the secondparty, the second portion being unintelligible to the trusted party andintelligible to the second party; and receiving by the first party areceipt indicating that the second portion of the message was receivedby the second party.
 3. The method of claim 2 wherein the first portionof the message is information encrypted to render it unintelligible tothe second party.
 4. The method of claim 2 wherein the second portion ofthe message is information encrypted to render it unintelligible to thetrusted party.
 5. The method of claim 2 further comprising signing atleast one of the first and second portions of the message by the firstparty.
 6. The method of claim 2 wherein the receipt includes arepresentation of the second portion of the message.
 7. The method ofclaim 2 wherein the receipt includes a signature of at least therecipient.
 8. The method of claim 2 wherein:the second portion includesinformation which has been processed to render it unintelligible to thetrusted party and intelligible to the second party; and the secondportion can be reconstructed using the information.
 9. The method ofclaim 2 wherein an identity of the second party is intelligible from themessage only by the trusted party.
 10. The method of claim 2 wherein anidentity of the second party is intelligible from the receipt only bythe first party.
 11. An electronic communication methodcomprising:receiving by a trusted party a message from a first party,the message having first and second portions, the first portion beingintelligible to the trusted party, identifying a second party as arecipient of the second portion and being unintelligible to the secondparty, the second portion being unintelligible to the trusted party andintelligible to the second party; sending by the trusted party thesecond portion of the message to the second party; and sending by thetrusted party to the first party a receipt indicating that the messagewas delivered to the second party.
 12. The method of claim 11 whereinthe first portion of the message is information encrypted to render itunintelligible to the second party.
 13. The method of claim 11 whereinthe second portion of the message is information encrypted to render itunintelligible to the trusted party.
 14. The method of claim 11, whereinthe message includes the first party's signature of at least one of thefirst and second portions of the message.
 15. The method of claim 11wherein:the second portion is information which has been processed torender it unintelligible to the trusted party and intelligible to thesecond party; and the message can be reconstructed using theinformation.
 16. The method of claim 11 wherein an identity of thesecond party is intelligible from the message only by the trusted party.17. The method of claim 11 wherein an identity of the second party isintelligible from the receipt only by the first party.
 18. The method ofclaim 11 wherein sending the second portion of the message to the secondparty includes signing at least the second portion of the message withthe trusted party's signature.
 19. The method of claim 18 whereinsending the second portion of the message to the second party furthercomprises processing the signed second portion to render it intelligibleto the second party but unintelligible to at least one party other thanthe second party.
 20. The method of claim 11 wherein the receiptincludes a representation of the second portion of the message.
 21. Themethod of claim 11 wherein the receipt includes a signature of at leastthe recipient.
 22. The method of claim 11 wherein sending the secondportion of the message to the second party by the trusted partycomprises:generating by the trusted party a processed message whichdetermines the second message but which is unintelligible to the secondparty; sending the processed message to the second party by the trustedparty; receiving by the trusted party a receipt indicating that thesecond party received the processed message; and sending the secondmessage to the second party in a form intelligible to the second party.23. The method of claim 22 wherein the processed message can bereconstructed from the second message.
 24. The method of claim 22wherein the receipt indicating that the second party received theprocessed message includes a signature of the second party.
 25. Anelectronic communication method comprising:receiving by a receiver afirst message from a trusted party, the message having a portionnormally intelligible to the receiver which has been processed to renderit unintelligible to the receiver; sending by the receiver a receipt forthe message to the trusted party; and receiving by the receiver a secondmessage from the trusted party, the second message including the portionintelligible to the receiver.
 26. The method of claim 25, wherein thereceipt can be reconstructed using the portion of the second messageintelligible to the receiver.
 27. The method of claim 25, wherein thefirst message is intelligible to the trusted party.
 28. The method ofclaim 25, wherein sending the receipt includes signing the first messageby the receiver.
 29. The method of claim 28, wherein sending the receiptfurther includes processing the receipt to render it intelligible to thetrusted party but unintelligible to at least one other party.